Test-Prep Flashcards
Which of the following is BEST represented by encrypting a message with a private key and having the message decrypted with the matching public key? A. Knapsack problem B. Zero-knowledge proof C. Key escrow D. Elliptic curves
Answer: B In cryptography, a zero-knowledge proof can be represented by encrypting something with your private key. Whatever is encrypted with a private key can only be decrypted with the matching public key, so a verifier who successfully decrypts the message knows it was produced by the holder of the private key without ever seeing that private key. Only the owner of the private key can prove they have the key; in practice this operation is a digital signature, a proof of possession of the private key that reveals nothing about the key itself.
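As an added example (not part of the flashcard set), the following Python works through "encrypt with the private key, decrypt with the public key" using textbook RSA. The primes, public exponent and messages are constructed for illustration; real systems use 2048-bit or larger moduli and a padded signature scheme such as RSA-PSS, never raw textbook RSA.

```python
# Added example, not from the flashcard source: textbook RSA signing as
# "encrypt with d, decrypt with e". Constructed parameters, illustration only.
import hashlib

# Two primes chosen for the example (small enough to read, large enough that
# a SHA-256 digest reduced mod n keeps plenty of entropy). Assumed values.
P = 1_000_000_007
Q = 998_244_353
E = 65537


def make_keypair(p: int = P, q: int = Q, e: int = E):
    """Return (public, private) as ((n, e), (n, d))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse of e mod phi (Python >= 3.8)
    return (n, e), (n, d)


def digest_int(message: bytes, n: int) -> int:
    """Hash the message and reduce the digest into Z_n so it can be exponentiated."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """'Encrypt' the message digest with the private exponent d."""
    n, d = private_key
    return pow(digest_int(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """'Decrypt' the signature with the public exponent e; the verifier learns
    that the holder of d produced it, but learns nothing about d itself."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message, n)


if __name__ == "__main__":
    pub, priv = make_keypair()
    msg = b"transfer 100 to account 42"          # constructed sample message
    sig = sign(msg, priv)
    print("genuine message verifies:", verify(msg, sig, pub))
    print("tampered message verifies:", verify(b"transfer 900 to account 42", sig, pub))
```

The verifier only ever holds `(n, e)`; a valid result tells it that someone with `d` processed exactly this message, which is the proof-of-possession property the card describes.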
Which option refers to the component of the XML Key Management Specification 2.0 (XKMS 2.0) used for defining the protocols needed to register public key information? A. X-KISS B. XML-SIG C. XML-Enc D. X-KRSS
Answer: D XKMS 2.0 has two key components: the XML Key Registration Service Specification (X-KRSS) and the XML Key Information Service Specification (X-KISS). The X-KRSS specification defines the protocols needed to register public key information. X-KRSS can generate the key material itself, which makes key recovery simpler than when keys are generated manually. Applications can be coded to bind information, such as a name or identifier, to a public key. Once registered, the key can be used with X-KISS or a Public Key Infrastructure (PKI).
Which option should be addressed by the governance of cryptographic algorithms and systems at a minimum? A. Transition plans for replacing outdated keys B. The top web application security flaws and how they can be mitigated C. Industry-recommended cryptographic algorithms D. All keys that have been issued by the system
Answer: A All cryptographic algorithms and protocols eventually age and become compromised. IS professionals must test the organization's cryptographic systems and replace those that are outdated. At a minimum, the governance of cryptographic algorithms and systems should address:
- Transition plans for replacing outdated algorithms and keys
- Procedures for the use of cryptographic systems
- Approved cryptographic algorithms and key sizes
- Key generation, escrow, and destruction guidelines
- Incident reporting guidelines
Which is typically the NEXT step in the public key infrastructure (PKI) process after a digital certificate is requested by a user? A. The request is sent to the CA. B. The certificate is generated by the CA. C. The private and public key pair is created on the user’s machine. D. Identity information is processed by the RA.
Answer: D PKI is a set of policies, processes, server platforms, software, and workstations to administer certificates and public-private key pairs. PKI has the ability to issue, maintain, and revoke public key certificates. PKI provides security services for confidentiality, integrity, authentication, nonrepudiation, and access control, based on using private and public key cryptography. The key pairs are obtained through a trusted authority, a certificate authority (CA), and this enables PKI to provide digital certificates. When making a request for a digital certificate, there is a series of steps that are performed. After making the request for the certificate, the next step is for identity information to be processed. This is typically performed by a registration authority (RA) but can be performed by a CA if an RA is not being used. Once the certificate request is received by the RA, it requests identification information from the user that sent the request and verifies this information.
Which security standard consists of five principles and seven enablers? A. ISO/IEC 27001:2005 B. ITSEC C. COBIT version 5 D. ISO/IEC 15408
Answer: C Control Objectives for Information and Related Technology (COBIT) is a governance and control framework that is commonly used as the basis for integrating security into a company. COBIT version 5 consists of five principles and seven enablers.
Which statement is NOT true in relation to asymmetric cryptography? A. It has better key distribution than symmetric systems. B. It provides confidentiality but not authenticity or non-repudiation. C. It works much more slowly than symmetric keys. D. It has better scalability than symmetric systems.
Answer: B Providing confidentiality but not authenticity or non-repudiation is a weakness of symmetric key cryptography, not of asymmetric key cryptography. In fact, one of the strengths of asymmetric cryptography is its ability to provide confidentiality, authentication, and non-repudiation: a signature made with a private key can be verified by anyone holding the matching public key.
Which component of an organization’s security program should management use to mandate that all employees wear photo ID badges, and that they are visible at all times? A. Procedure B. Informative security policy C. Guideline D. Baseline
Answer: D A baseline can be a technical or non-technical security document that sets the minimum level of protection required within an organization. A non-technical baseline may be used to define security requirements for employees, such as wearing a visible photo ID badge. By establishing, documenting, and adhering to the requirements, the company is implementing a baseline of protection. Reference: All-in-One, page 169
Identify a characteristic of external audits. A. It takes a specified amount of time to complete B. It has a high level of validity C. It includes a follow-up meeting after the audit, to verify that recommendations have been implemented D. It is conducted several times a year
Answer: B External audits are done by an outside auditing firm. They are considered to be highly valid and credible because the auditors are impartial and have no conflict of interest with the organization.
In terms of a Service Organization Control (SOC) 2 or SOC 3 audit, which step should be performed during the audit preparation phase? A. Collect data prior to doing on-site work to expedite the audit process. B. Provide management with a draft report to review. C. Analyze the collected information off-site. D. Hold meetings to identify alternatives and remediation plans.
Answer: D The audit preparation phase involves the security professionals working with the service provider to ensure everything is in place to perform a successful audit. The audit preparation phase should include the following steps:
- Identify the scope of the audit and the timeframe over which it will be conducted.
- Consult existing documentation and management to identify the current and required controls.
- Conduct a readiness review and report gaps to management.
- List prioritized recommendations for dealing with any gaps that were identified.
- Hold meetings to identify alternatives and remediation plans.
- Ensure identified gaps have been addressed prior to starting the audit phase.
- Decide on the best approach to use for the audit and reporting process, based on the service provider's requirements.
What is used to support risk management decisions within an organization by continually keeping track of key performance and risk indicators? A. NIST SP 800-30 B. FRAP C. ISO 27001 D. ISCM
Answer: D Information security continuous monitoring (ISCM) is used to support risk management decisions within an organization. It does this by continually keeping track of vulnerabilities and threats to information security by monitoring certain metrics obtained from various sources. For example, metrics related to the different security controls implemented in the organization would be tracked by ISCM.
Which statement does NOT apply to application interface testing? (Note the difference between application integration testing and interface testing.) A. It determines whether the components of an application are working correctly with the hardware. B. It determines whether all supported browsers have been tested. C. It determines whether the recovery mechanisms are functioning properly. D. It determines whether control is passed from one component to another correctly.
Answer: A Determining whether the combined components of an application and the hardware it runs on work correctly is the job of integration testing, not interface testing. For example, application integration testing would be performed to ensure the software can properly integrate with the system's hardware to perform the tasks for which it was designed.
What can be used for synthetic performance monitoring of a web site? A. Microsoft System Center Operations Manager B. Polyinstantiation C. Security Information and Event Management D. Sandbox
Answer: A Microsoft System Center Operations Manager can be used to create synthetic transaction tests that will monitor TCP port usage and perform transactions against web sites and databases. The synthetic transaction tests can provide information about the performance of a web site by simulating a user logging on and browsing items.
Which consideration is LEAST important when implementing a security plan for an LDAP directory service? (Think of usability and integration) A. The capacity of the service to support the strongest security products B. The ratio of read to write operations that the directory supports C. The process for replicating data between the directory and other data sources D. The type of data that the directory stores
Answer: A It is important to analyze the specific security needs of a Lightweight Directory Access Protocol (LDAP) directory before designing a security plan. The characteristics of a directory, including its intended use, interoperation with other entities in a network, and administration requirements, determine appropriate security strategies. These strategies should provide an acceptable level of security without imposing unnecessary restrictions on users. The objective of security design for an LDAP directory is to implement an appropriate level of security, rather than to implement the strongest security measures available. An overly restrictive security plan is likely to hinder users and administrators.
Which of the following emphasizes resuming and maintaining business operations in financial institutions after a disaster? A. NYSE Rule 446 B. FFIEC C. NASD Rule 3510 D. Electronic Funds Transfer Act
Answer: B The Federal Financial Institutions Examination Council (FFIEC) provides a booklet on creating business continuity plans (BCPs). It specifies that a financial institution's BCP should focus on resuming and maintaining business operations, rather than just on recovering technology. It also dictates that the planning process should occur across the enterprise. It states that the foundation of a good BCP includes a thorough business impact analysis (BIA) and risk assessment, and that the BCP should be tested and audited independently.
An organization requires an identity management solution that uses a remote access authentication system to store information about users and applications. Which remote access authentication system should the organization use? A. TACACS+ B. RADIUS C. LDAP D. Diameter
Answer: C Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol for network directory services. LDAP systems store information about users, network resources, file systems, and applications. LDAP is supported by all the principal directory services, such as Microsoft Active Directory, Apache Directory Server, and Novell eDirectory.
What should a Service Organization Control (SOC) 1 report include? A. Control objectives B. Availability C. Privacy D. Disaster recovery
Answer: A Three types of SOC reports exist: SOC 1, SOC 2, and SOC 3, each of which provides different information from the audit. A SOC 1 report is used by a service organization to describe its system. It lists the control objectives, and the controls that are in place to meet them, for internal control over financial reporting (ICFR).
What is a Type 1 error in biometric systems? A. The percentage of invalid subjects that the system falsely accepts B. The percentage of subjects that the system falsely rejects C. The rate at which FRR equals FAR D. The rate at which the system scans and authenticates subjects
Answer: B A Type I error refers to the biometric system's False Rejection Rate (FRR). The FRR is the percentage of subjects that the system falsely rejects; in other words, the percentage of valid users who should have been granted access but were erroneously denied by the biometric system. The FRR increases as system sensitivity (the matching threshold) is raised, while the False Acceptance Rate (FAR, the Type II error) falls; the point where the two are equal is the crossover error rate (CER).
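To show how FRR and FAR move against each other, here is an added Python example (not from the flashcard source) that sweeps a match-score threshold over constructed genuine and impostor scores, computes both error rates at each setting, and locates the crossover. The score lists are made-up sample data, not real biometric output.

```python
# Added example, not from the flashcard source. Constructed similarity scores
# in [0, 100]; higher means "more like the enrolled template".
from typing import Iterable, List, Tuple

GENUINE_SCORES = [95, 90, 86, 82, 78, 74, 69, 63, 57, 51]   # legitimate users (constructed)
IMPOSTOR_SCORES = [72, 66, 60, 55, 50, 46, 42, 38, 33, 28]  # other people (constructed)
DEFAULT_THRESHOLDS = range(0, 101)


def frr(threshold: float, genuine: List[float]) -> float:
    """Type I error: fraction of genuine users whose score falls below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold: float, impostors: List[float]) -> float:
    """Type II error: fraction of impostors whose score reaches the threshold."""
    return sum(s >= threshold for s in impostors) / len(impostors)


def sweep(genuine: List[float], impostors: List[float],
          thresholds: Iterable[float] = DEFAULT_THRESHOLDS) -> List[Tuple[float, float, float]]:
    """(threshold, FRR, FAR) for every candidate threshold."""
    return [(t, frr(t, genuine), far(t, impostors)) for t in thresholds]


def crossover(genuine: List[float], impostors: List[float],
              thresholds: Iterable[float] = DEFAULT_THRESHOLDS) -> Tuple[float, float]:
    """Threshold at which FRR and FAR are closest, and the error rate there (CER).
    Ties resolve to the lowest such threshold."""
    t, fr, fa = min(sweep(genuine, impostors, thresholds), key=lambda r: abs(r[1] - r[2]))
    return t, (fr + fa) / 2


if __name__ == "__main__":
    print("threshold  FRR   FAR")
    for t, fr, fa in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, range(45, 80, 5)):
        print(f"{t:>9}  {fr:.1f}   {fa:.1f}")
    t, cer = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover at threshold {t}, CER {cer:.2f}")
```

Raising the threshold makes the system more sensitive: FRR climbs and FAR drops, which is exactly the trade-off the card describes. The crossover is where a tuning decision has to be made deliberately rather than by default.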
Which of the following increases the complexity of a software product?
A. Scrubbing
B. Branching
C. OCTAVE
D. SOMAP
Answer: B
Branching in a software product refers to executing different code paths depending on the input. Because many programs accept an enormous number of possible inputs, branching increases the complexity of the product: it is very difficult to test every combination of inputs, so defects that pose security risks can remain hidden from the tests that are performed. This risk needs to be identified when designing a software assessment strategy, and measures must be taken to find those defects.
What is a minimum requirement when placing mission-critical systems in wiring closets or server rooms?
A. Install system control programs on all mission-critical systems.
B. Install an HVAC system that maintains positive pressurization to prevent air contamination.
C. Use electronic access control with all entry attempts logged by security systems.
D. Use power line conditioners to ensure that the systems are exposed only to transient noise.
Answer: C
Mission-critical systems should be located in wiring closets or in computer or telecommunications rooms that meet the following minimum requirements:
- The room should be locked with only authorized personnel allowed access.
- The room should NOT be accessible via a dropped ceiling, raised floor, window, ductwork, or point of entry other than the secured access point.
- Electronic access control should be used with all entry attempts logged by security systems.
- If possible, security personnel should monitor activity using security cameras with automatic recording.
Which technique is used to extend the capability of a role-based access control mechanism?
A. Polyinstantiation
B. Asset valuation
C. Temporal isolation
D. Scrubbing
Answer: C
Temporal isolation, or time-based access control, is often used in conjunction with other authentication methods, particularly role-based access control (RBAC). The combined mechanism is referred to as temporal role-based access control (TRBAC). TRBAC puts a time limit on roles that are assigned by using RBAC. For example, you can use TRBAC to assign a specific role to a user during working hours and a different role outside of working hours. You can also use TRBAC to assign time-based roles to objects based on their nature and content. This may be more efficient than assigning roles to users if there are more users than objects in a particular environment.
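The TRBAC behaviour described above (one role during working hours, a different role outside them) as an added Python example that is not part of the flashcard source. The user, role names, permissions and time windows are constructed for illustration; the interesting edge case is the evening window that wraps past midnight.

```python
# Added example, not from the flashcard source: a minimal temporal RBAC
# decision function. All users, roles, windows and permissions are assumptions.
from datetime import datetime, time
from typing import Dict, List, Set, Tuple

# Plain RBAC: role -> permissions.
PERMISSIONS: Dict[str, Set[str]] = {
    "operator": {"read_logs", "restart_service"},
    "auditor": {"read_logs"},
}

# Temporal layer: user -> list of (role, window start, window end).
# A window whose end is before its start wraps past midnight (e.g. 17:00-09:00).
TimedRole = Tuple[str, time, time]
ASSIGNMENTS: Dict[str, List[TimedRole]] = {
    "alice": [
        ("operator", time(9, 0), time(17, 0)),   # business hours: full operator role
        ("auditor", time(17, 0), time(9, 0)),    # evenings and nights: read-only role
    ],
}


def in_window(now: time, start: time, end: time) -> bool:
    """Half-open window [start, end); correctly handles windows that cross midnight."""
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def active_roles(user: str, at: datetime) -> List[str]:
    """Roles whose time window contains the moment of the request."""
    now = at.time()
    return [role for role, start, end in ASSIGNMENTS.get(user, []) if in_window(now, start, end)]


def is_permitted(user: str, action: str, at: datetime) -> bool:
    """Grant if any currently active role carries the requested permission."""
    return any(action in PERMISSIONS.get(role, set()) for role in active_roles(user, at))


def roles_at(user: str, when: str) -> List[str]:
    """Convenience wrapper taking an ISO-8601 timestamp string."""
    return active_roles(user, datetime.fromisoformat(when))


def decide(user: str, action: str, when: str) -> bool:
    """Convenience wrapper taking an ISO-8601 timestamp string."""
    return is_permitted(user, action, datetime.fromisoformat(when))


if __name__ == "__main__":
    for when in ("2024-01-15T10:00:00", "2024-01-15T17:00:00", "2024-01-15T23:30:00"):
        print(when, roles_at("alice", when),
              "restart_service:", decide("alice", "restart_service", when))
```

Note that the decision takes the request time as an explicit parameter rather than reading the clock inside the policy; that keeps the logic testable and lets the caller pass an authenticated server timestamp rather than a client-supplied one.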
Which component of Software Defined Networking (SDN) is used to communicate network requirements to the SDN controller?
A. SDN control to data-plane interface
B. SDN application
C. SDN northbound interface
D. SDN datapath
Answer: C
SDN separates the network control plane from the data forwarding plane, which allows one control plane to control multiple devices. SDN applications use the SDN northbound interface (NBI) to communicate their network requirements to the SDN controller. The control plane can then configure the various network devices as required.
Which type of cryptographic attack relies on the study of affine transformations to deduce the cipher’s exact behavior?
A. Algebraic attack
B. Linear cryptanalysis
C. Differential cryptanalysis
D. Side-channel attack
Answer: B
Linear cryptanalysis is a variation of the known-plaintext attack that works against block ciphers. It uses affine (linear) approximations of the cipher's nonlinear components to deduce the cipher's behavior. It requires that the attacker has access to pieces of plaintext and the corresponding ciphertext, and it can yield information about the key. Several attacks have developed from linear cryptanalysis, including differential-linear cryptanalysis, which combines aspects of both differential and linear cryptanalysis.
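To make "affine approximation" concrete, here is an added Python example (not from the flashcard source) that builds the linear approximation table (LAT) of a 4-bit S-box and finds the strongest linear relation between its input and output bits, which is the first step of a linear cryptanalysis. The S-box constant is the published PRESENT S-box; the identity S-box used for contrast is an illustration of an S-box that a linear relation describes exactly.

```python
# Added example, not from the flashcard source: the core measurement behind
# linear cryptanalysis. For input mask a and output mask b, count how often the
# affine relation  a.x XOR b.S(x) = 0  holds over all inputs x; a count far
# from half the inputs is a usable bias.
from typing import List, Tuple

# Published 4-bit S-box of the PRESENT block cipher.
PRESENT_SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
                0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v: int) -> int:
    """XOR of all bits of v; parity(a & x) is the GF(2) dot product a.x."""
    return bin(v).count("1") & 1


def lat(sbox: List[int]) -> List[List[int]]:
    """lat[a][b] = #{x : a.x == b.S(x)} - 2^(n-1).
    Zero means the relation holds exactly half the time (no bias)."""
    size = len(sbox)
    table = [[0] * size for _ in range(size)]
    for a in range(size):
        for b in range(size):
            agree = sum(parity(a & x) == parity(b & sbox[x]) for x in range(size))
            table[a][b] = agree - size // 2
    return table


def best_approximation(sbox: List[int]) -> Tuple[int, int, int, float]:
    """Strongest non-trivial relation (a != 0 and b != 0):
    returns (input mask, output mask, signed LAT entry, absolute bias)."""
    size = len(sbox)
    table = lat(sbox)
    candidates = ((a, b, table[a][b]) for a in range(1, size) for b in range(1, size))
    a, b, entry = max(candidates, key=lambda t: abs(t[2]))
    return a, b, entry, abs(entry) / size


if __name__ == "__main__":
    a, b, entry, bias = best_approximation(PRESENT_SBOX)
    print(f"PRESENT: masks a={a:#x}, b={b:#x} hold with probability 1/2 {entry:+d}/16 (bias {bias})")
    # An affine S-box (here the identity) is described exactly by a linear relation.
    print("identity S-box bias:", best_approximation(list(range(16)))[3])
```

For a bijective S-box the row a = 0 and the column b = 0 are all zero (a single mask side is always balanced), so only the a, b != 0 entries matter. The PRESENT S-box caps the bias at 1/4; an affine S-box gives bias 1/2, meaning one linear relation predicts it perfectly, which is why ciphers need nonlinear components at all.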
Which cloud computing model is highly scalable and provides deployment automation?
A. Infrastructure as a service (IaaS)
B. Platform as a service (PaaS)
C. Software as a service (SaaS)
D. Security as a service (SECaaS)
Answer: A
IaaS is the most flexible cloud computing model. It allows an organization to quickly scale up new software or data-based services without installing the required hardware. The deployment of storage, servers, networking, and processing power can all be easily automated.